Sign up or log in to save this to your schedule and see who's attending!

There are a number of reasons to use source code to assist in web application penetration testing. Access to source code can help to make better use of penetration testers’ time by giving them access to answers about what underlying software is doing. In addition, access to source code provides penetration testers with deeper insight into the overall behavior of target systems. Finally, with the benefit of source code, penetration testing reports can help to highlight specific sections of code that are associated with identified vulnerabilities – allowing development teams to remediate vulnerabilities more efficiently.

The United States Department of Homeland Security (DHS) Science and Technology (S&T) Directorate has funded some research that can be used by penetration testers looking to benefit from source code access during their testing engagements. This technology is currently available in the open source ThreadFix plugin for the OWASP ZAP and dynamic application security testing tool, and will be used throughout the presentation to provide practical examples attendees can use for their own penetration tests.

This presentation walks through the “ABCs” of source code assisted web application penetration testing, covering issues of attack surface enumeration, backdoor identification, and configuration issue discovery. A web application’s attack surface refers to dynamically exposed endpoints where an attacker can control inputs to an application. These include the URLs an application will respond to as well as the entry points – parameters, cookies, HTTP headers – that the application uses that may change application behavior. Having access to the source lets an attacker enumerate all of these URLs as well as parameters and other entry points. Knowing these allows pen testers greater application coverage during testing. For example, some applications have page configurations such as landing pages that link back into the application, but where an application does not have outbound links. These would not be detected during a typical application crawl. Also, application with multi-step workflows may make it difficult for penetration testers to understand all steps in a workflow process. The presentation will walk through these scenarios and then demonstrate how the use the OWASP ZAP plugin to pre-seed the spidering process makes application scans more thorough.

In addition to identifying legitimate attack surface that can be hard for penetration testers to find on their own, access to source code can help to identify potential backdoors that have been intentionally added to the system. These backdoors can represent hidden or secret inputs that an application will accept, but that have been obfuscated so that they can be hard or impossible for pen testers to find on their own. Having access to the source can help identify potentially suspicious attack surface endpoints such as hidden admin consoles or secret backdoor parameters. The presentation will then demonstrate how the results of attack surface seeding, when combined with the results from standard application crawls, can help identify suspicious inputs that can represent application back doors.

Finally, the presentation will look at how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application. Specifically, how misconfiguration in platforms allowing auto-binding can allow attackers extensive control over inputs to an application – beyond what even security-knowledgeable developers might expect. Having access to source code can identify and enumerate these potential issues in ways that would be either difficult or time-consuming for penetration testers to find on their own. Demonstrations of these scenarios will also be provided.